WEAKNESSES IDENTIFIED DURING THE
FY 2010 FEDERAL INFORMATION SECURITY
MANAGEMENT ACT REVIEW

Report Number: 11-06
Date Issued: January 28, 2011

U.S. Small Business Administration
Office of Inspector General
Memorandum

To: Paul T. Christy, Chief Information Officer
Date: January 28, 2011

/s/ original signed

From: Peter L. McClintock, Deputy Inspector General

Subject: Report on the Audit of SBA's Compliance with the Federal Information Security Management Act for FY 2010
Report No. 11-06

The Federal Information Security Management Act (FISMA) of 2002 provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets. The Act requires (1) agencies to implement a set of minimum controls to protect Federal information and information systems; and (2) the agencies' Office of Inspector General (OIG) to annually perform independent evaluations of the information security program and practices of that agency to determine its effectiveness. Finally, the Act directs the National Institute of Standards and Technology (NIST) to develop standards and guidelines for implementing its requirements in coordination with the Office of Management and Budget (OMB).

On April 21, 2010, OMB issued Memorandum 10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, providing instructions for agencies to meet their FY 2010 reporting requirements under FISMA. This memorandum requires IGs to evaluate agency compliance in ten information security program areas: (1) Certification and Accreditation (C&A); (2) Configuration Management; (3) Security Incident Management; (4) Security Training; (5) Remediation/Plan of Actions and Milestones (POA&M); (6) Remote Access; (7) Identity Management; (8) Continuous Monitoring; (9) Contractor Oversight; and (10) Contingency Plans. The objective of our FY 2010 review was to evaluate the effectiveness of SBA's computer security program and practices in these areas in accordance with applicable Federal requirements.[1]

[1] Applicable Federal guidance includes that provided in NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) as well as OMB Circulars and Memoranda.

To assess SBA's compliance in the OMB information security program areas, we reviewed agency documentation, interviewed program management officials, and performed reliability tests on agency-provided reports. Additionally, we selected judgmental samples of agency systems to conduct detailed analysis of their compliance with C&A, POA&M, and contingency planning requirements.

During the course of our FISMA review, we received an anonymous complaint alleging that contractors located in the IT security division were performing work on behalf of the agency without having obtained the necessary security clearances. The complaint also stated that these contractors had access to sensitive SBA information. In response to this allegation, we requested and reviewed SBA security clearance documentation for IT security contractors and interviewed Agency officials responsible for clearing contractors and granting network access.

We performed the audit work between August 2010 and November 2010 in accordance with Government Auditing Standards prescribed by the Comptroller General of the United States.

BACKGROUND

FISMA requires OIGs to perform annual independent evaluations of their agency's information security program and practices to determine its effectiveness. Since 2003, we have performed annual reviews of SBA's compliance with FISMA standards and guidelines established by NIST and reported our results to OMB. Previous OIG reviews identified and reported weaknesses in SBA compliance with requirements over information system configuration management, the development and management of interconnection security agreements (ISAs), certification and accreditation of major information systems, and the identification and management of system vulnerabilities (i.e. POA&M). Additionally, during the course of our FY 2008 FISMA review, we determined that SBA did not consistently ensure that contractors were properly vetted prior to granting them access to sensitive SBA systems and data.

In 2004, we conducted an audit of SBA's Continuity of Operations Planning (COOP) Program. This audit identified significant deficiencies with SBA's continuity of operation and disaster response capabilities. Specifically, the audit found that SBA IT system disaster recovery plans were not adequate to ensure the recovery of its mission critical systems. As a result, SBA stated that it would develop and test recovery plans for its mission critical systems and revise the plans accordingly.

In FY 2009, SBA changed its IT security contractor and awarded a contract to Glacier Technologies, LLC to provide IT security support and information assurance measures and controls in accordance with FISMA, OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, and relevant SBA Standard Operating Procedures (SOPs).

RESULTS IN BRIEF

Our audit identified that significant improvements are needed in critical computer security areas in order for SBA to fully meet the requirements set forth in FISMA and OMB Circular A-130. We found that SBA did not maintain a complete and accurate inventory of system interfaces as required by FISMA. SBA also had not obtained interconnection security agreements (ISAs) for all systems that connect to other systems, as required by OMB Circular A-130. Only 5 of 26 systems with external interconnections currently had an ISA. ISAs are necessary to document the controls the system receiving SBA data must provide in order to protect its confidentiality, integrity and availability. Without interface inventories and ISAs, SBA cannot specify what data is transmitted from system to system and whether appropriate controls and adequate security are afforded to SBA data residing in external systems.

SBA did not have comprehensive and integrated configuration management policies and procedures, hardware and software inventories, and baseline configurations for all its systems, as required by FISMA and NIST guidance. As a result, systems may not be appropriately configured to provide adequate security over SBA information.

We also found that SBA did not properly identify, implement and assess baseline security controls as part of its system C&A process. Federal guidance requires that information systems be categorized according to risk and that baseline controls be selected and implemented based on their risk categorization. We found a system with baseline controls that were insufficient for its risk category; a high-risk system with its controls assessed as if it were a moderate-risk system; and a system certified and accredited using baseline controls from outdated and less stringent NIST guidance. As a result, SBA mission critical information systems may have inadequate and ineffective security controls, and control failures may not be appropriately identified for corrective action.

SBA did not track all the POA&M vulnerability information that OMB requires, adhere to planned remediation dates, or update the plan in a timely manner. As a result, the agency is unable to link security costs to security performance, cannot ensure that all weaknesses are included in the POA&M, and may remove unremediated weaknesses from the POA&M, exposing the agency's systems to significant risk.

Our audit also disclosed that SBA did not develop, or could not provide evidence it had developed, system disaster recovery plans for [FOIA ex. 2]. Additionally, during FY 2010, SBA did not test the disaster recovery plans for [FOIA ex. 2]. As a result, SBA may be unable to restore its mission critical and major information systems within acceptable timeframes after a disaster.

During the course of our FISMA review, we received an anonymous complaint alleging that contractors located in the IT security division had access to sensitive information and were performing work on behalf of the agency without having obtained the necessary security clearances. We found that 17 of the 32 contractors we reviewed began working for SBA prior to the completion of their preliminary security clearance. As a result, SBA exposed itself to increased risk of unauthorized use and/or disclosure of sensitive and personally identifiable information.

Finally, several of our findings relating to FISMA noncompliance fall within the responsibilities of SBA's IT security contractor. An agency analysis of its contract with Glacier Technologies, LLC determined that many of the contract requirements were not being satisfied. While SBA has initiated corrective actions to ensure that its IT security contractor meets the provisions of its contract, continued oversight is needed to improve SBA's compliance with FISMA and other federal IT security requirements.

In order to address the deficiencies identified, we recommended that SBA: (1) update its major systems list to include all interfaces and obtain written ISAs for every system interconnection; (2) establish a program at SBA to manage, control and monitor system interconnections throughout their lifecycle; (3) develop configuration management policies and procedures; (4) develop and maintain a centralized inventory of all agency hardware and software; (5) develop and document baseline configurations for each information system; (6) revise the SBA C&A procedures to reflect the risk management framework approach established in NIST SP 800-37, Rev. 1 and current POA&M guidance; (7) re-evaluate [FOIA ex. 2] and [FOIA ex. 2] security controls at the appropriate risk category using current NIST guidance; (8) modify the POA&M reporting tool to comply with OMB requirements; (9) develop and test system disaster recovery plans annually for major systems and implement corrective actions based on test results; (10) enforce the agency SOP for contractor background investigations and perform periodic reviews to ensure compliance; and (11) conduct quality reviews of deliverables and quarterly reviews of IT security contractor performance. SBA management expressed concurrence with our recommendations.

RESULTS

SBA Has Not Developed a Complete Inventory of System Interconnections and Interconnection Security Agreements Have Not Been Established

SBA did not maintain a complete inventory of system interfaces to its major systems as required by FISMA. We reviewed seven SBA information systems and determined that interconnections identified in the C&A documentation were not included in SBA's interconnection inventory. Further, 13 of the interconnections not included in the interconnection inventory were to systems that are outside of the agency's control.

SBA could not provide evidence that it has established ISAs with all interconnected systems as required in OMB Circular A-130. We requested copies of ISAs for all SBA systems. In response, SBA only provided the audit team with four ISAs covering two major systems. However, SBA's interconnection inventory indicates that there are 24 systems with interconnections that require ISAs.

FISMA requires that an agency's major system inventory "shall include an identification of the interfaces between each system and all other systems and networks, including those not operated by or under the control of the agency." Additionally, OMB Circular A-130 Appendix III requires prior written management authorization for system interconnections. For major applications, the Circular requires that shared information be given a level of protection that is comparable to the protection provided while residing within the source application. The Circular also requires that for authorized interconnections, controls be established consistent with NIST guidance.

Without a centralized management program for system interconnections, SBA cannot ensure that all interconnections will be documented in an ISA and necessary controls implemented, as required by Federal regulation. Additionally, without an inventory of interconnections and corresponding ISAs, SBA is not in a position to know which data is transmitted among its systems and to external systems; whether appropriate risk-based controls are applied to the data in the external systems; and whether external entities agree to adhere to SBA's rules of behavior.

SBA Had Not Developed Comprehensive Configuration Management Policies and Procedures and Had Not Inventoried or Established Baseline Configurations for All Systems

FISMA requires every agency to develop an information security program that includes policies and procedures that ensure compliance with agency-determined minimally acceptable system configuration requirements. NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, requires agencies to develop a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. This guidance also requires agencies to develop procedures to facilitate the implementation of the configuration management policy. While SBA has established some configuration policies and procedures that relate to specific systems or networks, the agency had not developed an integrated agency-wide configuration management policy and associated procedures.

We found that SBA had not established baseline configurations for all hardware and software systems. SBA could not provide baseline configurations for many of SBA's major information systems, including financial systems such as the [FOIA ex. 2] and [FOIA ex. 2]. The Office of the Chief Information Officer (OCIO) was also unable to provide auditors with baseline configurations for all hardware (i.e. switches, printers).

SBA did not maintain complete inventories of its software and hardware. The software inventory provided during our review included only client-side software derived from Systems Management Server (SMS) scans. SMS scans only detect software on devices that have an active connection to the agency network. Other software applications, including major systems [FOIA ex. 2], were not included in the software inventory provided by SBA. The hardware inventory provided to the auditors was also not complete. It included only hardware with Microsoft operating systems installed that was directly attached to the SBA network.

NIST Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, specifies minimum security requirements for Federal information and information systems in seventeen security-related areas. In the configuration management security area, FIPS 200 states: "Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems."

Security configuration management provides an important function for establishing and maintaining secure information system configurations and provides important support for managing risks in information systems. Without an agency-wide configuration management policy, individual systems may adopt configurations that are not risk-appropriate. Without complete hardware and software inventories, systems or system components may escape the configuration management process altogether. Systems without configuration baselines may not implement critical controls and therefore lack the security that is commensurate with the risk and magnitude of harm resulting from the loss, misuse or unauthorized modification of the information they contain.

SBA Needs to Improve its Certification and Accreditation Process

During our FISMA review of SBA's C&A process, we identified weaknesses in SBA's procedures and in the identification, application, and assessment of system baseline security controls. We found that while SBA has developed procedures to manage its C&A process, these procedures were outdated and were not reflective of the current NIST guidance over system security authorization and system control assessment. Additionally, these procedures had not been revised to correctly describe the agency-wide POA&M process. Finally, our review of system C&A packages found that three systems either did not adequately assess system security controls in accordance with NIST SP 800-53A guidance or the minimum baseline security controls were not appropriately selected up-front for assessment.

For two major systems, [FOIA ex. 2], we noted the following:

• SBA's [FOIA ex. 2] is rated as a "High" priority system under FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," due to the level of confidentiality, integrity and availability of the information it supports. While it appeared that the appropriate baseline system security controls were selected for this system, these baseline controls were only tested at the "Moderate" level during the security control assessment phase.

• SBA's [FOIA ex. 2] was re-certified and accredited in April 2010 after a significant change in its control environment due to the migration to a new hosting provider. During the C&A process, however, SBA did not utilize current guidance in NIST SP 800-53 Revision 3, published in August 2009, which introduced additional controls and control enhancements for application to Federal information systems.

NIST SP 800-53A provides guidelines for assessing the effectiveness of security controls defined in NIST SP 800-53 based on the system's FIPS 199 security categorization. Systems with higher impact levels require more comprehensive security control baselines and assessments of these security control baselines at this higher level.

Additionally, FIPS 200 requires federal agencies to comply with revisions in NIST Special Publications within one year. The guidance specifically states, "Federal agencies will have up to one year from the date of final publication to fully comply with the changes but are encouraged to initiate compliance activities immediately." Further, OMB Memorandum 10-15 states that for legacy systems undergoing significant changes, agencies are expected to be in compliance with the most recent NIST publications immediately upon deployment of the information system.

As a result of the weaknesses identified in SBA's C&A program, system controls in SBA [FOIA ex. 2] information systems may not be implemented or operating effectively and control failures may not be appropriately identified for corrective action.

SBA's POA&M Program Reporting Tool Did Not Adequately Track Weaknesses, Provide Accurate Estimated Dates for Remediation, and Was Not Updated Timely

SBA's POA&M reporting tool did not include or sufficiently track all required fields. OMB M-04-25, "FY 2004 Reporting Instructions for the Federal Information Security Management Act", identifies eight fields to be tracked by an agency's POA&M process. In FY 2010, SBA migrated its centralized POA&M database to its [FOIA ex. 2] in order to provide transparency and accountability over information system vulnerabilities. We commend SBA's effort to increase visibility of its POA&M and responsibility for the mitigation of system vulnerabilities. However, the current SBA reporting tool did not adequately track the following risk mitigation fields: funding resources, changes to milestones, how the weakness was identified (i.e. source), and the status.

During our FISMA review of SBA's POA&M process, we found that weaknesses were not adequately managed and that SBA did not sufficiently mitigate vulnerabilities by the estimated remediation date. For two major SBA systems, vulnerabilities either detected through internal system scans or reported in IG reports were not placed into the system's POA&M for remediation. Additionally, SBA closed two "Medium" risk vulnerabilities for its [FOIA ex. 2] without completing the proposed actions to remediate the vulnerabilities. Finally, for three major SBA systems, initial estimated remediation dates for system vulnerabilities were missed. For example, [FOIA ex. 2] had four "High" risk vulnerabilities still unresolved from its C&A in 2006. These vulnerabilities were initially scheduled to be completed by March 2007.

We also found that SBA's POA&M reporting tool was not updated on a timely basis. System owners were often non-responsive to OCIO requests for quarterly system vulnerability status updates. For example, system owners for four major SBA systems did not respond to OCIO information requests for over six months.

OMB Memorandum 04-25 provides guidance to agencies to implement their agency-wide POA&M process. It requires that POA&Ms be established for all agency information systems with identified vulnerabilities and that security costs for a system be linked to its security performance. POA&Ms should include all known security weaknesses, including weaknesses identified in audits and critical infrastructure vulnerability assessments. The memorandum also establishes mandatory fields and information that agency POA&Ms must include and requires program officials to update the agency Chief Information Officer (CIO) on their progress on a quarterly basis.

The purpose of a POA&M program is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. Without a comprehensive, documented, and functioning POA&M process, the agency will be unable to link security costs to security performance, and weaknesses may be accidentally omitted or closed without satisfactory remediation, exposing SBA's systems to significant risk.

SBA's Continuity of Operations Planning and Testing Program for Mission Critical Information Systems Needed Significant Improvement

During our FISMA review of SBA's COOP Program, we found that system disaster recovery plans had not been developed or tested. SBA was unable to provide evidence that it had developed system contingency plans for [ex. 2] of its [ex. 2] major systems. Additionally, SBA documentation supported that only [ex. 2] major systems received recovery tests during the year.

SBA SOP 90-47-2, "Automated Information System Security Program", states that a disaster recovery plan must be prepared and tested semi-annually for each major application system, each regional and district accounting information system, the Office of Financial Operations, and SBA's mainframe computer center. Additionally, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, states that information system contingency plan testing is a critical element of a viable contingency capability. Testing enables plan deficiencies to be identified and addressed by validating one or more of the system components and the operability of the plan.

Without documented system recovery plans that have been tested to ensure their effectiveness, SBA may be unable to restore its [FOIA ex. 2] major information systems within established timeframes.

SBA IT Security Contractors Were Permitted Access to Sensitive Information and Secured Areas Without Required Clearances

While performing our FISMA review, we received an anonymous complaint alleging that contractors located in the IT security division were performing work on behalf of the agency without having obtained the necessary security clearances. In response to this allegation, we compared OCIO IT Security contractor start dates with background clearance forms provided by OCIO and found that 17 of 32 contractors performed work on behalf of the agency prior to being cleared. Some of these contractors were operating in SBA's security operations center, which allowed physical access to sensitive information and systems.

Additionally, our review of system POA&Ms identified two ongoing vulnerabilities related to contractor background investigations. Specifically, the POA&M for SBA's [FOIA ex. 2] identified that contractors had not undergone SBA background investigations and their company-sponsored background investigations did not meet Federal criteria. Additionally, the POA&M for SBA's [FOIA ex. 2] identified that background investigations were not performed for contractor personnel responsible for daily system operations.

OMB Circular A-130 requires Federal agencies to screen individuals applying for access to government data and systems based on the level of risk presented by their access. SBA SOP 90-47-2 classifies all SBA data as sensitive and requires all contractor personnel to undergo background investigations. In addition, contractor personnel occupying positions designated as critical-sensitive cannot be given access to sensitive data until an appropriate security clearance has been granted. SBA requires that SBA Form 1228, Computer Access Clearance/Security, be used to request all network account access for new contractor employees.

Despite SBA's requirement that contractors occupying positions sensitive in nature must receive prior clearance, this requirement was not adhered to for many of the contractors performing IT security functions for the agency. Without ensuring that contractors meet the agency standards for character and integrity, SBA is exposing itself to increased risk of unauthorized use and/or disclosure of sensitive and personally identifiable information.

SBA Needs to Improve Oversight of the IT Security Contract

We noted that several of our findings relating to FISMA noncompliance fell within the existing performance work statement between SBA and its IT security contractor. These areas included maintaining system inventories, coordinating ISAs, configuration management and control, performing certification and accreditation of SBA systems, managing SBA's POA&M process, and providing support to SBA in the development of continuity of operation plans. Under the contract, Glacier Technologies, LLC is also responsible for incident response, security awareness training and the continuous monitoring of security controls.

In September 2010, the Acting Chief Information Security Officer performed an analysis of SBA's contract with Glacier Technologies, LLC and found that many of the contract requirements were not being satisfied. As a result, SBA issued recommendations to the contractor and established milestones for compliance.

We commend SBA on taking actions to ensure that its IT security contractor meets the provisions of its contract. However, the contract provides for SBA to conduct continuous quality assurance reviews and quarterly performance reviews of the above activities. We believe that ongoing oversight is needed to ensure all work products meet established Federal quality standards.

RECOMMENDATIONS

We recommend that the Chief Information Officer:

1. Update the list of Major Systems to include all the interfaces between each system and all other systems and networks, including those not operated by, or under the control of, the agency, and obtain written Interconnection Security Agreements for every SBA system that has an interconnection to another system.

2. Establish a program at SBA to manage, control and monitor system interconnections throughout their lifecycle. The program should encompass planning, establishing, maintaining and terminating system interconnections, including enforcement of security requirements.

3. Develop configuration management policies and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

4. Develop and maintain a centralized inventory of all agency hardware and software.

5. Develop and document baseline configurations for each information system and maintain the baseline under configuration control.

6. Revise the SBA Certification and Accreditation Program Description procedural document to reflect the risk management framework approach established in NIST SP 800-37, Rev. 1 and the current POA&M process.

7. Re-evaluate the technical, operational and management controls of [FOIA ex. 2] and [FOIA ex. 2] at the appropriate FIPS 199 level using guidance provided by NIST SP 800-53 and NIST SP 800-53A.

8. Modify the POA&M reporting tool to comply with the requirements set forth in OMB Memorandum 04-25.

9. Develop and test system disaster recovery plans for all of SBA's major systems at least annually and initiate any necessary corrective actions based on test results.

10. Enforce SOP 90-47-2 requirements for contractor background investigations and perform periodic reviews to ensure that SBA contractors have completed the clearance process prior to accessing sensitive information.

11. Perform continuous quality assurance reviews of deliverables and quarterly reviews of IT security contractor performance to ensure all applicable areas of OMB and NIST compliance criteria are met.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

On December 23, 2010, we provided the Chief Information Officer with the draft report for comment. On January 21, 2011, the Chief Information Officer submitted a formal response, which is contained in its entirety in Appendix I. The response expressed concurrence with all of the recommendations presented in this report.

ACTIONS REQUIRED

Please provide your management decision for each recommendation on the attached SBA Forms 1824, Recommendation Action Sheet, within 30 days from the date of this report. Your decision should identify the specific action(s) taken or planned for each recommendation and the target date(s) for completion.

We appreciate the courtesies and cooperation of the OCIO during this audit. If you have any questions concerning this report, please call me at (202) 205-[ex. 2] or Jeffrey Brindle, the Director, Information Technology and Financial Management Group, at (202) 205-[ex. 2].

APPENDIX I. MANAGEMENT COMMENTS

U.S. SMALL BUSINESS ADMINISTRATION
WASHINGTON, D.C. 20416

Date: January 21, 2011

To: Peter L. McClintock, Deputy Inspector General

From: Paul T. Christy, Chief Information Officer

Subject: Draft Report on the Audit of SBA's Compliance with the Federal Information Security Management Act for FY 2010

The Office of Chief Information Officer has reviewed and concurs with the findings posted in the draft report. Further explanation of corrective action will be provided in the Management Decision.

If you require additional information, please contact Ja'Nelle DeVore on 202-205-[ex. 2].